pkexec: PATH environment variable

  • Open
  • quality assurance status badge
Details
2 participants
  • Hamzeh Nasajpour
  • Liliana Marie Prikler
Owner
unassigned
Submitted by
Hamzeh Nasajpour
Severity
normal
H
H
Hamzeh Nasajpour wrote on 21 Nov 2021 09:03
(address . bug-guix@gnu.org)
46b16bf3-e41c-4ccf-9817-879df6eeb8cb@www.fastmail.com
The `PATH` environment variable is hard-code here:

We don't have any executable in these paths in guix:
```
/usr/sbin:/usr/bin:/sbin:/bin:/root/bin
```

Replicate the issue:
1. Run the `pkexec`
2. Enter your password
3. run `echo $PATH` in the opened terminal
4. You will see this path: `/usr/sbin:/usr/bin:/sbin:/bin:/root/bin`
5. You can't run most of the commands. (`ls`, `passwd`, `chpasswd` and so on.)

Expected Behavior:
Running all of the commands without any error.

Isn't it? Should not we patch the `PATH` environment variable in `pkexec` source codes? Either way, some applications like `lxqt-admin-user` and `lxqt-admin-time` has an issue and they can't run the commands via `pkexec`. I get this error when I want to change user password via `lxqt-admin-user`. It's using `pkexec` to change password.

```
/run/current-system/profile/bin/lxqt-admin-user-helper: line 7: exec: passwd: not found
```

--

Hamzeh Nasajpour
PantherX Team
L
L
Liliana Marie Prikler wrote on 21 Nov 2021 15:52
57fde5d78af3ecc18b57191238cd81b0de65378e.camel@gmail.com
Hi,

Am Sonntag, den 21.11.2021, 11:33 +0330 schrieb Hamzeh Nasajpour:
Toggle quote (26 lines)
> The `PATH` environment variable is hard-code here:
>
> https://github.com/freedesktop/polkit/blob/master/src/programs/pkexec.c#L882-L886
>
> We don't have any executable in these paths in guix:
> ```
> /usr/sbin:/usr/bin:/sbin:/bin:/root/bin
> ```
>
> Replicate the issue:
> 1. Run the `pkexec`
> 2. Enter your password
> 3. run `echo $PATH` in the opened terminal
> 4. You will see this path: `/usr/sbin:/usr/bin:/sbin:/bin:/root/bin`
> 5. You can't run most of the commands. (`ls`, `passwd`, `chpasswd`
> and so on.)
>
> Expected Behavior:
> Running all of the commands without any error.
>
> Isn't it? Should not we patch the `PATH` environment variable in
> `pkexec` source codes? Either way, some applications like `lxqt-
> admin-user` and `lxqt-admin-time` has an issue and they can't run the
> commands via `pkexec`. I get this error when I want to change user
> password via `lxqt-admin-user`. It's using `pkexec` to change
> password.
I'm getting some flashbacks from my ITSec courses here. pkexec is
protecting itself against a malicious PATH attack. The paths are
chosen somewhat arbitrarily, but on traditional distros this ought to
ensure, that no privilege escalation occurs. We could inject
/run/current-system, given that /run likewise ought to be root-writable
only, but I'm not sure how much that helps. The obvious solution is to
use canonical (store) paths with pkexec.

Cheers
H
H
Hamzeh Nasajpour wrote on 28 Nov 2021 08:39
538d2dd4-7777-49ad-b0e5-8ceb12d03c60@www.fastmail.com
Hi Lillana,

Thanks for your response and sorry for delay.

Toggle quote (4 lines)
> We could inject /run/current-system, given that /run likewise ought to be root-writable
> only, but I'm not sure how much that helps. The obvious solution is to
> use canonical (store) paths with pkexec.

Honestly, I couldn't find out your solution. Can you clarify it?

Regards,

--

Hamzeh Nasajpour
PantherX Team
L
L
Liliana Marie Prikler wrote on 9 Sep 2022 18:10
0b97c774c903f45cb9ca3efbb12d55459d7d45c8.camel@gmail.com
Am Sonntag, dem 28.11.2021 um 11:09 +0330 schrieb Hamzeh Nasajpour:
Toggle quote (11 lines)
> Hi Lillana,
>
> Thanks for your response and sorry for delay.
>
> > We could inject /run/current-system, given that /run likewise ought
> > to be root-writable
> > only, but I'm not sure how much that helps.  The obvious solution
> > is to
> > use canonical (store) paths with pkexec.
>
> Honestly, I couldn't find out your solution. Can you clarify it?
That is instead of writing "pkexec sh", write "pkexec /run/current-
system/profile/bin/sh" or similar.

Cheers
?